# Role Binding

This chapter will detail how to:

- Grant/modify permissions (Roles) on given Resources to a User (IdP or Robot User).
- Remove all permissions on a Resource from a User (IdP or Robot User).
## Default Privileges

- Root User: The activation of the Authentication and Authorization feature generates a Root User with unalterable and unrevokable `clusterAdmin` privileges.
- Robot User: Robot users do not have any permission by default. Their permissions need to be set by a `clusterAdmin`.
- The case of the Pipeline User: In Pachyderm, you do not explicitly grant users access to pipelines; those permissions get set for you when you create or update a pipeline.
## Rules to keep in mind

- A user or group can have one or more roles on a specific Resource.
- Roles are inherited: if a user has a role on a cluster, they have that role for all projects and repos in that cluster.
- The creator of a repo becomes its `repoOwner`.
- To update a pipeline, you must have at least `repoReader`-level access to all pipeline inputs and `repoWriter`-level access to the pipeline output. This is because pipelines read from their input repos and write to their output repos.
- When a user subscribes a pipeline to a repo, Pachyderm sets that user as a `repoOwner` of that pipeline's output repo. If additional users need access to the output repository, the initial `repoOwner` of the pipeline's output repo, or a `clusterAdmin`, needs to grant those users access to the repo.
## Set Roles to Users

- A `clusterAdmin` can grant admin privileges on a cluster or any lower-level resources to other users.
- A `repoOwner` of a given repository (or a `clusterAdmin` as mentioned above) can set any level of access to "their" repo to users by running the command:

  ```shell
  pachctl auth set <resource> <resource name> [role1,role2 | none ] <prefix:subject>
  ```
Note

Alternatively, you have the option to set your cluster roles directly through Helm using the helm value `pachd.pachAuthClusterRoleBindings`.

For example, grant reader access to all repos to a specific group:

```yaml
pachd:
  pachAuthClusterRoleBindings: |
    group:data-scientists:
      - repoReader
```

Or give the user `paul@company.com` the `clusterAdmin` role, and the robot user `wallie` `logReader` rights on the cluster:

```yaml
pachd:
  pachAuthClusterRoleBindings: |
    user:paul@company.com:
      - clusterAdmin
    robot:wallie:
      - logReader
```
To keep using our Auth0 example and illustrate the attribution of a given Role to a User, let's have our Root User (with default `clusterAdmin` privileges) give `repoReader` access to a repo to our `one-pachyderm-user@gmail.com` user.

In particular, we will:

- Connect as our Root User again.
- Create a repo named `testinput` containing one text file.
- Grant `repoReader` access on this repo to our user `one-pachyderm-user@gmail.com` registered with our IdP (Auth0).
- See what happens when `one-pachyderm-user@gmail.com` tries to write in the repo without the proper writing access.
- First, let's connect as our Root User:

  ```shell
  pachctl auth use-auth-token
  ```

  You will be asked to re-enter your Root token.

- Second, create a repo as follows:

  ```shell
  mkdir -p ./testinput
  printf "this is a test" >./testinput/test.txt
  pachctl create repo testinput
  cd testinput && pachctl put file testinput@master -f test.txt
  ```

  A quick `pachctl list repo` will list your new repo and display your access level on that repo as a `clusterAdmin`.

- Third, grant `repoReader` access to our user `one-pachyderm-user@gmail.com`:

  ```shell
  pachctl auth set repo testinput repoReader user:one-pachyderm-user@gmail.com
  ```

  ... and take a quick look at their access level:

  ```shell
  pachctl auth get repo testinput
  ```

  The command returns the list of users granted access to this repo and their associated access level:

  ```
  user:one-pachyderm-user@gmail.com: [repoReader]
  pach:root: [repoOwner]
  ```
Note

Note that the user `one-pachyderm-user@gmail.com` has the prefix `user`. Pachyderm defines 4 prefixes depending on the type of user:

- robot
- user
- group
- pipeline (as mentioned above, this prefix will not be used in the context of granting privileges to users. However, it does exist. We are listing it here to give an exhaustive list of all prefixes.)

Additionally, the "everyone" user `allClusterUsers` has no specific prefix. See the example below to learn how to assign `repoReader` access to `allClusterUsers` on a repo.
Finally, have
one-pachyderm-user@gmail.com
try to add a file totestinput
without proper writing privileges:The command returns an error message:# Login as `one-pachyderm-user@gmail.com` pachctl auth login # Try to write into testinput repo printf "this is another test" >./testinput/anothertest.txt cd testinput && pachctl put file testinput@master -f anothertest.txt
user:one-pachyderm-user@pachyderm.io is not authorized to perform this operation - needs permissions [REPO_WRITE] on REPO testinput
Info

Use `--help` to display the list of all available commands, arguments, and flags of the command `pachctl auth set`.
Note

- To alter a user's privileges, simply re-run the `pachctl auth set` command above with a different set of Roles. For example,

  ```shell
  pachctl auth set repo testinput repoWriter user:one-pachyderm-user@gmail.com
  ```

  will give `one-pachyderm-user@gmail.com` `repoWriter` privileges when they were initially granted `repoReader` access.

- You can remove all access levels on a repo from a user by using the `none` keyword. For example,

  ```shell
  pachctl auth set repo testinput none user:one-pachyderm-user@gmail.com
  ```

  will remove any previously granted rights on the repo `testinput` from the user `one-pachyderm-user@gmail.com`.

- To assign `repoReader` access to `allClusterUsers` on a repo:

  ```shell
  pachctl auth set repo testinput repoReader allClusterUsers
  ```
## Set Roles to Groups

If your IdP enables group support, you can grant access on Pachyderm resources to a group of users.

Let's keep using our Auth0 example as an illustration, and:

- As a `clusterAdmin`, create a Group in Auth0.
- Assign our user to the newly created group.
- Update our connector accordingly.
- Grant the group an owner access to a specific repo in Pachyderm.
Info

To enable Group creation in Auth0, you will need to install an Authorization Extension to Auth0:

- Go to Auth0 Dashboard > Extensions.
- Select Auth0 Authorization and answer the prompt to install.
- Choose where you would like to store your data (Webtask Storage for this example) and click Install.
- Additionally, because Auth0 does not include the groups in the ID token when you use the Authorization Extension above, you will have to manually edit the following rule:
    - In the Auth Pipeline menu on the left, in Rules, click on `auth0-authorization-extension`. This will take you to the Edit Rule page of the extension.
    - Copy the following line at line 35 and Save your changes:

      ```javascript
      context.idToken['http://pachyderm.com/groups'] = user.groups;
      ```
- 1- Group creation

  An Authorization link should now show on your Auth0 webpage. In Authorization/Groups, create a group. Here, `testgroup`.

- 2- Add your user to your group

  In Authorization/Users, select your user `one-pachyderm-user@gmail.com` and add them to your `testgroup` as follows. In User Management/Users, your user should now show the following addition to their app_metadata:

  ```json
  {
    "authorization": {
      "groups": [
        "testgroup"
      ]
    }
  }
  ```

- 3- Update your connector

  JSON:

  ```json
  {
    "type": "oidc",
    "id": "auth0",
    "name": "Auth0",
    "version": 1,
    "config": {
      "issuer": "https://dev-k34x5yjn.us.auth0.com/",
      "clientID": "hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5",
      "clientSecret": "7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL",
      "redirectURI": "http://<ip>:30658/callback",
      "scopes": ["groups", "email", "profile"],
      "claimMapping": {
        "groups": "http://pachyderm.com/groups"
      },
      "insecureEnableGroups": true
    }
  }
  ```

  YAML:

  ```yaml
  type: oidc
  id: auth0
  name: Auth0
  version: 1
  config:
    issuer: https://dev-k34x5yjn.us.auth0.com/
    clientID: hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5
    clientSecret: 7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL
    redirectURI: http://<ip>:30658/callback
    scopes:
      - groups
      - email
      - profile
    claimMapping:
      groups: http://pachyderm.com/groups
    insecureEnableGroups: true
  ```

  Note the addition of the `scopes` and `claimMapping` fields to your original connector configuration file. Update your connector:

  ```shell
  pachctl idp update-connector auth0 --version 2
  ```

  Your group is all set to receive permissions to Pachyderm's resources.
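The following is an added example, not code from the Pachyderm docs, from Auth0 or from Pachyderm itself. It shows what the `claimMapping` field above actually decides: which ID-token claim Pachyderm reads the group list from. Because the Auth0 rule edit publishes the groups under the custom claim name `http://pachyderm.com/groups` rather than a standard `groups` claim, a connector without the mapping would bind the user to no group at all. The tokens are constructed here with an empty signature purely to show the claim shape; nothing is signed or verified, so these helpers are not a token validator.

```python
"""Added example (not part of the Pachyderm docs or of Auth0's or Pachyderm's code).

Demonstrates claimMapping resolution against constructed, unsigned ID tokens.
Only the payload segment is decoded; no signature is produced or checked.
"""
import base64
import json

# Mirrors the claimMapping field of the connector config on the page.
CLAIM_MAPPING = {"groups": "http://pachyderm.com/groups"}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Constructed header.payload.signature string with an empty signature."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is deliberately ignored here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def groups_from_token(token: str, claim_mapping: dict = CLAIM_MAPPING) -> list:
    """Resolve the group list the way a claimMapping directs: look up the
    mapped claim name (defaulting to the standard `groups` claim) and accept
    only a list value, so a missing or malformed claim yields no groups."""
    claims = id_token_claims(token)
    value = claims.get(claim_mapping.get("groups", "groups"), [])
    return [str(g) for g in value] if isinstance(value, list) else []


# Constructed token as Auth0 issues it BEFORE the rule edit: the group lives
# only in app_metadata on the Auth0 side and never reaches the ID token.
TOKEN_WITHOUT_RULE = make_unsigned_token({"email": "one-pachyderm-user@gmail.com"})

# Constructed token AFTER the rule adds
# context.idToken['http://pachyderm.com/groups'] = user.groups;
TOKEN_WITH_RULE = make_unsigned_token({
    "email": "one-pachyderm-user@gmail.com",
    "http://pachyderm.com/groups": ["testgroup"],
})

if __name__ == "__main__":
    print("before rule edit:", groups_from_token(TOKEN_WITHOUT_RULE))      # []
    print("after rule edit: ", groups_from_token(TOKEN_WITH_RULE))         # ['testgroup']
    # A connector with no claimMapping looks for a plain `groups` claim and
    # therefore binds the user to no group at all.
    print("without claimMapping:", groups_from_token(TOKEN_WITH_RULE, {}))  # []
```

The third call is the case to remember when a group binding silently does nothing: the token carries the groups, but under a name the connector was never told about.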
- 4- Grant the group an admin access to a specific repo in Pachyderm.

  ```shell
  pachctl auth set repo testinput repoOwner group:testgroup
  ```

  A quick check of this repo should give you its updated list of users and their access levels:

  ```shell
  pachctl auth get repo testinput
  ```

  System Response:

  ```
  pach:root: [repoOwner]
  user:another-pachyderm-user@gmail.com: [repoReader]
  group:testgroup: [repoOwner]
  ```
Useful note

The command `pachctl auth get-groups` lists the groups that have been defined on your cluster.
## Example

In this diagram, the `data-scientists` group has been assigned the `repoReader` role on the cluster. This gives them permission to read all repos in all projects.

The IdP user `one-pachyderm-user@company.io` has been assigned the `repoOwner` role on the `nlp` project. This gives them permission to read, write and grant permissions for repos within the `nlp` project. It does not give them any permission on the `image-recognition` project, or on the cluster itself.

If `one-pachyderm-user@company.io` were a member of the `data-scientists` group, then they would hold both roles: `repoReader` on all repos and `repoOwner` on the `nlp` project.

The IdP user `another-pachyderm-user@company.io` has been assigned the `repoWriter` role on the repo `categorize-text`. This gives them permission to read and write in that repo, but not to access any other repo, project, or the cluster itself.
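To make the inheritance and accumulation rules from "Rules to keep in mind", the `<prefix:subject>` convention from the prefix note, and the scenario in this Example concrete, here is an added model of the binding logic. It is not Pachyderm's code and does not talk to a cluster; it is a reference implementation of the rules as this page states them, useful for reasoning about what a proposed `pachctl auth set` will actually allow before running it. Assumptions that are mine, not the page's: resources are spelled `cluster`, `project/<name>` or `repo/<project>/<repo>`; the read/write/grant capability of each role follows the page's prose (`repoReader` reads, `repoWriter` reads and writes, `repoOwner` also grants, `clusterAdmin` does all); and the `pach` prefix is accepted only because the page's `pachctl auth get` output shows `pach:root`.

```python
"""Added example (not Pachyderm's code): a model of the role-binding rules on
this page, exercised against the Example scenario (data-scientists group,
the nlp project, and the categorize-text repo)."""
from collections import defaultdict

# The four prefixes listed on the page, plus the `pach` prefix that
# `pachctl auth get` shows for the root user (`pach:root`).
VALID_PREFIXES = {"robot", "user", "group", "pipeline", "pach"}
EVERYONE = "allClusterUsers"  # the only subject written without a prefix

# Assumed capability of each role, taken from the page's prose.
ROLE_CAPS = {
    "clusterAdmin": {"read", "write", "grant"},
    "repoOwner": {"read", "write", "grant"},
    "repoWriter": {"read", "write"},
    "repoReader": {"read"},
}


def parse_subject(subject: str) -> tuple:
    """Validate a `<prefix:subject>` string, as `pachctl auth set` expects."""
    if subject == EVERYONE:
        return (EVERYONE, "")
    prefix, sep, name = subject.partition(":")
    if not sep or prefix not in VALID_PREFIXES or not name:
        raise ValueError(f"{subject!r}: expected <prefix:subject> with prefix in {sorted(VALID_PREFIXES)}")
    return (prefix, name)


def ancestors(resource: str) -> list:
    """The resource plus everything it inherits from: repo -> project -> cluster."""
    parts = resource.split("/")
    chain = [resource]
    if parts[0] == "repo":                  # repo/<project>/<repo>
        chain.append("project/" + parts[1])
    if parts[0] != "cluster":
        chain.append("cluster")
    return chain


class Bindings:
    def __init__(self):
        self._roles = defaultdict(dict)   # resource -> subject -> set of roles
        self._groups = defaultdict(set)   # user subject -> group names from the IdP

    def set(self, resource: str, roles: str, subject: str) -> None:
        """Model of `pachctl auth set <resource> [role1,role2 | none] <subject>`."""
        parse_subject(subject)
        if roles == "none":
            self._roles[resource].pop(subject, None)   # `none` drops every role
        else:
            self._roles[resource][subject] = set(roles.split(","))

    def add_to_group(self, user: str, group: str) -> None:
        self._groups[user].add(group)

    def roles_for(self, user: str, resource: str) -> set:
        """Roles accumulate from the user, their groups, allClusterUsers and
        every ancestor resource (the inheritance rule)."""
        subjects = {user, EVERYONE} | {"group:" + g for g in self._groups[user]}
        roles = set()
        for res in ancestors(resource):
            for s in subjects:
                roles |= self._roles[res].get(s, set())
        return roles

    def can(self, user: str, action: str, resource: str) -> bool:
        return any(action in ROLE_CAPS.get(r, set()) for r in self.roles_for(user, resource))

    def can_update_pipeline(self, user: str, inputs: list, output: str) -> bool:
        """The page's rule: read access on every input and write access on the output."""
        return all(self.can(user, "read", i) for i in inputs) and self.can(user, "write", output)


def example_scenario() -> Bindings:
    """The bindings described in the Example section of this page."""
    b = Bindings()
    b.set("cluster", "repoReader", "group:data-scientists")
    b.set("project/nlp", "repoOwner", "user:one-pachyderm-user@company.io")
    b.set("repo/nlp/categorize-text", "repoWriter", "user:another-pachyderm-user@company.io")
    return b


if __name__ == "__main__":
    b = example_scenario()
    one, another = "user:one-pachyderm-user@company.io", "user:another-pachyderm-user@company.io"
    print(b.roles_for(one, "repo/nlp/categorize-text"))          # {'repoOwner'} via the project
    print(b.roles_for(one, "project/image-recognition"))         # set()
    print(b.can(another, "grant", "repo/nlp/categorize-text"))   # False
    b.add_to_group(one, "data-scientists")
    print(b.roles_for(one, "repo/image-recognition/faces"))      # {'repoReader'} via the group
```

`roles_for` is the part worth keeping in mind during an access review: a subject's effective roles on a repo are the union over the repo, its project and the cluster, over the user, every group the IdP reports for them, and `allClusterUsers`. A binding that looks narrow at the repo level can be widened by any of those, which is why `pachctl auth get` on the repo alone is not the whole picture.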